Table Of Contents

Configuring the Audit Log

With audit logging, configuration changes to the Cisco Unified Communications Manager or Cisco Unity Connection system get logged in separate log files for auditing. This chapter contains the following topics:

Understanding Audit Logging

With audit logging, configuration changes to the Cisco Unified Communications Manager or Cisco Unity Connection system get logged in separate log files for auditing. The Cisco Audit Event Service, which displays under Control Center—Network Services in Cisco Unified Serviceability, monitors and logs any configuration change to the Cisco Unified Communications Manager or Cisco Unity Connection system by a user or as a result of the user action. For a Cisco Unified Communications Manager Business Edition 5000 system, this service supports both Cisco Unified Communications Manager and Cisco Unity Connection.

You access the Audit Log Configuration window in Cisco Unified Serviceability to configure the settings for the audit logs.

Audit logging contains the following parts:

•Audit logging framework—The framework comprises an API that uses an alarm library to write audit events into audit logs. An alarm catalog that is defined as GenericAlarmCatalog.xml applies for these alarms. Different Cisco Unified Communications Manager or Cisco Unity Connection components provide their own logging.

The following example displays an API that a Cisco Unified Communications Manager component can use to send an alarm:

User ID: CCMAdministrator

Client IP Address: 172.19.240.207

Severity: 3

EventType: ServiceStatusUpdated

ResourceAccessed: CCMService

EventStatus: Successful

Description: CallManager Service status is stopped

•Audit event logging—An audit event represents any event that is required to be logged. The following example displays a sample audit event:

Tip Be aware that audit event logging is centralized and enabled by default. An alarm monitor called Syslog Audit writes the logs. By default, the logs are configured to rotate. If the AuditLogAlarmMonitor cannot write an audit event, the AuditLogAlarmMonitor logs this failure as a critical error in the syslog file. The Alert Manager reports this error as part of a SeverityMatchFound alert. The actual operation continues even if the event logging fails. All audit logs get collected, viewed and deleted from Trace and Log Central in the Cisco Unified Real-Time Monitoring Tool.

Be aware that only a user with an audit role can change the audit log settings. By default, for Cisco Unified Communications Manager, the CCMAdministrator possesses the audit role after fresh installs and upgrades. The CCMAdministrator can assign any user that has auditing privileges to the Standard Audit Users group in the User Group Configuration window in Cisco Unified Communications Manager Administration. If you want to do so, you can then remove CCMAdministrator from the Standard Audit Users group.

For Cisco Unity Connection, the application administration account that was created during installation has the Audit Administrator role and can assign other administrative users to the role. You can also remove the Audit Administrator role from this account.

The Log Partition Monitor (LPM) looks at the Enable Purging option to determine whether it needs to purge audit logs. When you check this check box, LPM purges all the audit log files in RTMT whenever the common partition disk usage goes above the high water mark; however, you can disable purging by unchecking the check box.

If purging is disabled, the number of audit logs continues to increase until the disk is full. This action could cause a disruption of the system. A message that describes the risk of disabling the purge displays when you uncheck the Enable Purging check box. Be aware that this option is available for audit logs in an active partition. If the audit logs reside in an inactive partition, the audit logs get purged when the disk usage goes above the high water mark.

You can access the audit logs by choosing Trace and Log Central > Audit Logs in RTMT.

Enable Log Rotation

The system reads this option to determine whether it needs to rotate the audit log files or it needs to continue to create new files. The maximum number of files cannot exceed 5000. When the Enable Rotation option is checked, the system begins to overwrite the oldest audit log files after the maximum number of files gets reached.

Enter the maximum number of files that you want to include in the log. The default setting specifies 250. The maximum number specifies 5000.

Maximum File Size

Enter the maximum file size for the audit log. The file size value must remain between 1 MB and 10 MB. You must specify a number between 1 and 10.

Database Audit Log Filter Settings

Enable Audit Log

When you enable this check box, an audit log gets created for the Cisco Unified Communications Manager and Cisco Unity Connection databases. Use this setting in conjunction with the Debug Audit Level setting, which allows you create a log for certain aspects of the database.

Debug Audit Level

This setting allows you to choose which aspects of the database you want to audit in the log. From the drop-down list box, choose one of the following options. Be aware that each audit log filter level is cumulative.

•Schema—Tracks changes to the setup of the audit log database (for example, the columns and rows in the database tables).

•Administrative Tasks—Tracks all administrative changes to the Cisco Unified Communications Manager system (for example, any changes to maintain the system) plus all Schema changes.

Tip Most administrators will leave the Administrative Tasks setting disabled. For users who want auditing, use the Database Updates level.

•Database Updates—Tracks all changes to the database plus all schema changes and all administrative tasks changes.

Tip Choose the Database Reads level only when you want to get a quick look at the Cisco Unified Communications Manager or
Cisco Unity Connection system. This level uses significant amounts of system resources and only should be used for a short time.

Enable Audit Log Rotation

The system reads this option to determine whether it needs to rotate the database audit log files or it needs to continue to create new files. When the Audit Enable Rotation option is checked, the system begins to overwrite the oldest audit log files after the maximum number of files gets reached.

When this setting is unchecked, audit log ignores the Maximum No. of Files setting.

Maximum No. of Files

Enter the maximum number of files that you want to include in the log. Ensure that the value that you enter for the Maximum No. of Files setting is greater than the value that you enter for the No. of Files Deleted on Log Rotation setting.

You can enter a number from 4 (minimum) to 40 (maximum).

No. of Files Deleted on Log Rotation

Enter the maximum number of files that the system can delete when database audit log rotation occurs.

The minimum that you can enter in this field is 1. The maximum value is 2 numbers less than the value that you enter for the Max No. of Files setting; for example, if you enter 40 in the Maximum No. of Files field, the highest number that you can enter in the No. of Files Deleted on Log Rotation field is 38.